From 1605b8471d64c855bc2493abf3adf6a1ebc3e645 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Wed, 9 May 2007 13:04:39 +1000
Subject: [PATCH] [CRYPTO] cryptomgr: Fix use after free

By the time kthread_run returns the param may have already been freed
so writing the returned thread_struct pointer to param is wrong.

In fact, we don't need it in param anyway so this patch simply puts it
on the stack.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 crypto/cryptomgr.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/crypto/cryptomgr.c b/crypto/cryptomgr.c
index 6958ea83ee440..e5fb7cca5107d 100644
--- a/crypto/cryptomgr.c
+++ b/crypto/cryptomgr.c
@@ -24,8 +24,6 @@
 #include "internal.h"
 
 struct cryptomgr_param {
-	struct task_struct *thread;
-
 	struct rtattr *tb[CRYPTOA_MAX];
 
 	struct {
@@ -81,6 +79,7 @@ static int cryptomgr_probe(void *data)
 
 static int cryptomgr_schedule_probe(struct crypto_larval *larval)
 {
+	struct task_struct *thread;
 	struct cryptomgr_param *param;
 	const char *name = larval->alg.cra_name;
 	const char *p;
@@ -130,8 +129,8 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval)
 
 	memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME);
 
-	param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
-	if (IS_ERR(param->thread))
+	thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
+	if (IS_ERR(thread))
 		goto err_free_param;
 
 	return NOTIFY_STOP;
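Review bot: Nothing at the `kthread_run()` call in the last hunk records the ownership rule this fix depends on: once the call succeeds, `param` may already have been freed (presumably by `cryptomgr_probe`, whose body is not shown), so the caller must not read or write it again. A comment directly above the call would keep a later edit from reintroducing the use after free, for example `/* On success param belongs to the probe thread and may already be freed; never touch it after this call. */`. The local `thread` is only used for the `IS_ERR()` test, and the same comment could say so, so that nobody moves it back into the struct. The `err_free_param` label and the rest of `cryptomgr_schedule_probe` are outside the hunk, so the failure path was not reviewed here.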
-- 
GitLab